
Deployment — GCP Cloud Run

The backend is deployed to Google Cloud Run in region me-west1 (Tel Aviv).

Live URL: https://colibri-api-643619291153.me-west1.run.app


Deploy command

gcloud run deploy colibri-api \
  --source . \
  --region me-west1 \
  --project <YOUR_GCP_PROJECT_ID> \
  --allow-unauthenticated \
  --set-secrets=GEMINI_API_KEY=gemini_api_key:latest \
  --set-env-vars=FIREBASE_PROJECT_ID=<YOUR_FIREBASE_PROJECT_ID>,GEMINI_MODEL=gemini-2.5-flash

--source . — Cloud Run builds the Docker image automatically from the project source using the Dockerfile generated by dart_frog build.


Secrets (Secret Manager)

Sensitive values are stored in GCP Secret Manager and exposed to the container as environment variables at deploy time via --set-secrets:

| Secret name (GCP) | Env var in container | Description |
|---|---|---|
| gemini_api_key | GEMINI_API_KEY | Google AI Studio API key |

To create/update a secret:

echo -n "your-api-key" | gcloud secrets create gemini_api_key --data-file=-
# or update:
echo -n "your-new-key" | gcloud secrets versions add gemini_api_key --data-file=-

Environment variables

Passed at deploy time via --set-env-vars:

| Variable | Value |
|---|---|
| FIREBASE_PROJECT_ID | Firebase project ID |
| GEMINI_MODEL | gemini-2.5-flash |

Build locally (optional)

# Generate production build
dart_frog build

# Run with Docker
docker build -t colibri-api .
docker run -p 8080:8080 \
  -e GEMINI_API_KEY=... \
  -e FIREBASE_PROJECT_ID=... \
  -e GEMINI_MODEL=gemini-2.5-flash \
  colibri-api

IAM — required roles for deployment

The service account used by Cloud Run needs:

| Role | Why |
|---|---|
| roles/run.invoker | Allow unauthenticated calls (if --allow-unauthenticated) |
| roles/secretmanager.secretAccessor | Read gemini_api_key from Secret Manager |
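
An added example, not part of the project's own code: a Python check that audits a deployed service against the settings this page relies on (secret injection via --set-secrets, --allow-unauthenticated, and the runtime service account). The embedded JSON is constructed sample data shaped like the output of gcloud run services describe and gcloud run services get-iam-policy with --format=json; the project number and Firebase project ID in it are placeholders, and the finding codes are names chosen for this example.

```python
import json
import re

# Constructed sample data, shaped like the JSON printed by
#   gcloud run services describe colibri-api --region me-west1 --format=json
#   gcloud run services get-iam-policy colibri-api --region me-west1 --format=json
SERVICE = json.loads("""
{"spec": {"template": {"spec": {
  "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com",
  "containers": [{"env": [
    {"name": "GEMINI_API_KEY",
     "valueFrom": {"secretKeyRef": {"name": "gemini_api_key", "key": "latest"}}},
    {"name": "FIREBASE_PROJECT_ID", "value": "example-firebase-project"},
    {"name": "GEMINI_MODEL", "value": "gemini-2.5-flash"}
  ]}]}}}}
""")
POLICY = json.loads(
    '{"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}')

# Hypothetical heuristic for env var names that should come from Secret Manager.
SECRET_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD)", re.I)
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def audit(service, policy):
    """Return a list of (code, detail) findings for one Cloud Run service."""
    findings = []
    spec = service["spec"]["template"]["spec"]
    for container in spec.get("containers", []):
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref is None and SECRET_NAME.search(env["name"]):
                # Secret-looking name passed as a literal via --set-env-vars.
                findings.append(("PLAINTEXT_SECRET", env["name"]))
            elif ref and ref.get("key") == "latest":
                # New secret versions reach new instances without a redeploy.
                findings.append(("UNPINNED_SECRET", f'{ref["name"]}:latest'))
    sa = spec.get("serviceAccountName", "")
    if not sa or sa.endswith("-compute@developer.gserviceaccount.com"):
        findings.append(("DEFAULT_SERVICE_ACCOUNT", sa or "(unset)"))
    for binding in policy.get("bindings", []):
        for member in sorted(PUBLIC & set(binding.get("members", []))):
            if binding["role"] == "roles/run.invoker":
                findings.append(("PUBLIC_INVOKER", member))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SERVICE, POLICY):
        print(f"{code}: {detail}")
```

PUBLIC_INVOKER is expected while the service is deployed with --allow-unauthenticated; the other findings point at a pinned secret version and a dedicated runtime service account holding roles/secretmanager.secretAccessor on gemini_api_key only.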